Automated signature generation algorithm for polymorphic worms based on improved TF-IDF

Cited by: 0
Authors
Wang F. [1]
Yang S. [1]
Zhao D. [1]
Wang C. [1]
Affiliation
[1] Key Lab of Network and Information Security of Hebei Province, College of Computer and Cyber Security, Hebei Normal University, Shijiazhuang
Source
Huazhong Keji Daxue Xuebao (Ziran Kexue Ban)/Journal of Huazhong University of Science and Technology (Natural Science Edition) | 2020 / Vol. 48 / No. 02
Keywords
Intrusion detection system; Polymorphic worm; Signature generation; Term frequency-inverse document frequency (TF-IDF); Worm detection;
DOI
10.13245/j.hust.200214
Abstract
An automated signature generation algorithm based on an improved term frequency-inverse document frequency (TF-IDF) was proposed. Firstly, signature hashing was used to assign different substring weights according to their positions, and to compress the high-dimensional vectors into low-dimensional ones to improve efficiency. Secondly, the original IDF algorithm was improved by introducing check values to reduce the weight of some rare substrings. Finally, these substrings were sorted according to their weights to generate the final signatures. The algorithm was tested on several kinds of polymorphic worms and compared with existing methods. The experimental results show that the algorithm can generate polymorphic worm signatures accurately and efficiently in the presence of noise, and is superior to the current methods in accuracy and efficiency. It can save the states of worm signatures and has good scalability. © 2020, Editorial Board of Journal of Huazhong University of Science and Technology. All rights reserved.
Pages: 79-84
Page count: 5